CVE-2022-39297: added allowed_classes=false param to unserialize func · melisplatform/melis-cms@d124b24
MelisCms provides a full CMS for Melis Platform, including a templating system, drag'n'drop of plugins, SEO and many administration tools. Attackers can deserialize arbitrary data on affected versions of melisplatform/melis-cms, which ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to melisplatform/melis-cms >= 5.0.1. This issue was addressed by restricting allowed classes when deserializing user-controlled data.
@@ -1537,14 +1537,14 @@ private function prepareDbConfigs($siteId, $siteName, &$dbConfigs)
if ($dbConfig[‘sconf_lang_id’] == '-1’) {
$dbConfig[‘sconf_datas’] = [
‘site’ => [
$siteName => unserialize($dbConfig[‘sconf_datas’]),
$siteName => unserialize($dbConfig[‘sconf_datas’], [‘allowed_classes’ => false]),
],
];
} else {
$dbConfig[‘sconf_datas’] = [
‘site’ => [
$siteName => [
$siteId => unserialize($dbConfig[‘sconf_datas’])
$siteId => unserialize($dbConfig[‘sconf_datas’], [‘allowed_classes’ => false])
],
],
];
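Review bot: the two replaced calls (`$siteName => unserialize(..., ['allowed_classes' => false])` in the `-1` branch and `$siteId => unserialize(..., ['allowed_classes' => false])` in the else branch) stop any application class from being instantiated during decoding, but a serialized object in `sconf_datas` now silently becomes a `__PHP_Incomplete_Class` instance instead of an error. Since this branch treats the column as plain site configuration, consider validating the decoded value before storing it (reject anything that is not an array or that contains `__PHP_Incomplete_Class`, and log the rejection so tampering is visible), and apply the same option to any other `unserialize()` call in the module that reads database or request data. Longer term, storing `sconf_datas` as JSON with `json_decode(..., true)` would remove the format-level risk entirely.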
### Impact

Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-cms`, which ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-cms` >= 5.0.1.

### Patches

This issue was addressed by restricting allowed classes when deserializing user-controlled data.

### References

- https://github.com/melisplatform/melis-cms/commit/d124b2474699a679a24ec52620cadceb3d4cec11

### For more information

If you have any questions or comments about this advisory, you can contact:

- The original reporters, by sending an email to vulnerability.research [at] sonarsource.com;
- The maintainers, by opening an issue on this repository.
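The patch's mitigation, `allowed_classes => false`, prevents `unserialize()` from instantiating application classes, which is what makes a property-oriented programming chain work. The wrapper below is an added example written for this page, not code from melis-cms or the advisory: it shows the hardened call together with the follow-up check a defender wants, namely rejecting any payload that contained an object at all (which, with classes disallowed, surfaces as `__PHP_Incomplete_Class`), and distinguishing a malformed payload from a legitimately serialized `false`. The function names, the `SomeClass` class name and the sample inputs are all constructed for the example.

```php
<?php
// Added example (not melis-cms code): a hardened wrapper around unserialize()
// for data that may be attacker-influenced, such as a config column read
// back from the database.

declare(strict_types=1);

/**
 * Deserialize a PHP-serialized string while refusing to instantiate any class.
 * Returns the decoded value, or throws if the payload is malformed or
 * contained any object.
 *
 * @param string $payload PHP serialized data of untrusted origin
 * @return mixed scalars and arrays only
 */
function unserializePlainData(string $payload)
{
    // allowed_classes => false: every serialized object becomes
    // __PHP_Incomplete_Class, so no constructor, __wakeup(), __destruct()
    // or __toString() of an application class can run during or after
    // decoding. This is the option the CVE-2022-39297 fix adds.
    $value = @unserialize($payload, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; tell that apart from a
    // legitimately serialized boolean false, whose encoding is exactly "b:0;".
    if ($value === false && $payload !== 'b:0;') {
        throw new UnexpectedValueException('Malformed serialized data');
    }

    // For config data we expect scalars and arrays only, so an object of any
    // kind (now an incomplete class) is a sign of tampering: reject it rather
    // than carrying an opaque placeholder object through the application.
    if (containsIncompleteClass($value)) {
        throw new UnexpectedValueException('Serialized data contained an object');
    }

    return $value;
}

/**
 * Recursively check a decoded value for __PHP_Incomplete_Class instances.
 *
 * @param mixed $value
 */
function containsIncompleteClass($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsIncompleteClass($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs.

// 1. Legitimate site configuration: nested arrays of scalars.
$legitimate = serialize(['site' => ['name' => 'demo', 'lang' => 'en']]);
$config = unserializePlainData($legitimate);
echo 'Language: ', $config['site']['lang'], PHP_EOL;

// 2. A serialized object of an arbitrary class (hypothetical name "SomeClass").
//    With allowed_classes => false it cannot be instantiated, and the wrapper
//    additionally rejects the whole payload.
$withObject = 'a:1:{s:4:"site";O:9:"SomeClass":0:{}}';
try {
    unserializePlainData($withObject);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// 3. Truncated/garbage input is reported as malformed rather than silently
//    becoming false.
try {
    unserializePlainData('a:1:{s:4:"site";');
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The recursive check matters because `allowed_classes => false` only changes what an object decodes to; an attacker-controlled object nested inside an otherwise valid array would still pass a naive `is_array()` test. If the stored format can be changed, serializing config as JSON and reading it back with `json_decode($data, true)` removes the object question entirely, since JSON has no object-instantiation semantics in PHP.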